The Government Commission has decided on amendments of the DCGK that lead to higher demands on Compliance Management Systems.

On February 7, 2017, the Government Commission German Corporate Governance Code (the ‘Commission’) decided on several modifications of the Code (hereinafter ‘GCGC’ or the ‘Code’). For the first time, the Code explicitly requires the establishment of a Compliance Management System (CMS) and amends subsection 4.1.3 GCGC significantly by recommending:

Establishment of a CMS

Disclosure of the main features of the CMS

Establishment of a whistleblower system for employees and third parties

1. Establishment of a CMS

Sec. 4.1.3 sentence 1 GCGC already referred to the obligation of the Executive Board to ensure compliance with statutory regulations and company guidelines prior to the revision. This shows that the Commission undoubtedly recognizes compliance duties resulting from the principle of legality (‘Legalitätsprinzip’).

The new sec. 4.1.3 sentence 2 GCGC provides that the Executive Board should take appropriate measures based on the risk situation of the company (Compliance Management System) and disclose the main features of such system.

The wording ‘should’ shows that the establishment of a CMS is not required by law, but is only a recommendation by the Commission. However, on the basis of the “Comply-or-Explain” principle under sec. 161 subsection 1 sentence 1 AktG, companies have to explain any deviation from a recommendation of the Commission and publish such explanation on the company’s website (sec. 161 subsection 2 AktG). This explanation requirement might lead to a ‘de facto’ obligation to implement such a CMS, as it can be expected that management boards do not want to explain why they have decided not to comply with the CMS recommendation.

It remains unclear whether such “obligation” comprises the whole group of companies (‘Konzern’). However, in view of the wording of subsection 4.1.3 sentence 1 GCGC that refers to the whole group of companies, this may be assumed when reading both sentences together.

2. Structure of the CMS

With respect to the structure of the CMS, the Code remains vague: the CMS should be appropriate and based on the company’s legal risks. This abstract approach is in accordance with the common view that there is no “one-size-fits-all” CMS. Rather, every CMS must be preceded by a detailed risk assessment. Such a risk assessment is a precondition for identifying ‘red flags’ (especially legal risks) and subsequently addressing and controlling them by means of tailored compliance measures.

3. Disclosure of the main features of the CMS

Furthermore, the Code stipulates that the main features of the CMS shall be disclosed. In this regard, the Code intentionally leaves the choice of media to the Executive Board. Disclosure on the company’s website and disclosure in the Corporate Governance Report (according to subsection 3.10 GCGC) are two of the conceivable options.

4. Establishment of a whistleblower system for employees

‘Employees shall be granted the opportunity to report statutory violations in a secure and proper way.’

This provision for the first time includes the recommendation to set up a protected information system (whistleblower system) for employees. Most companies already have a more or less substantial CMS. However, numerous companies have so far forgone the establishment of a whistleblower system (also known as a ‘Whistle-Blower-Hotline’), as it leads to further data protection, labor law and organizational implications (e.g. IT infrastructure). Moreover, anonymous tips need to be investigated, which in turn entails further effort. Even though the recommendation for a whistleblower system may be very surprising for some, it is worth its weight in gold, because only a living compliance organization (this includes a whistleblower system) can result in avoidance of liability (monetary fines due to compliance violations are in most cases based on sec. 30, 130 OWiG or sec. 81 GWB).

5. Establishment of a whistleblower system for third parties

Further, the Commission suggests the establishment of a whistleblower system for third parties. According to the Code’s expectation, third parties shall also be granted the opportunity to report irregular practices or suspected cases. As this is only a suggestion (‘should’), there is no need to execute a compliance or non-conformance statement according to sec. 161 subsection 1 AktG if such system is not introduced.

6. Implications on Corporate Compliance Practice

The Code is considered a commitment to good corporate governance and primarily addresses German listed companies and companies with access to capital markets according to sec. 161 subsection 1 sent. 2 AktG. However, practice shows that market standards, also for other legal entities, have been created due to the Code’s guidelines and their implementation. The development of market standards can also be expected for the implementation, content and range of influence of a CMS.

We are pleased to provide you with more detailed information on the implications of the Code’s revision and to assist you in case of questions concerning your own CMS.